SOCI Act regulatory obligations

Critical infrastructure asset (CI asset) owners, operators, and direct interest holders must meet legal obligations under the Security of Critical Infrastructure Act 2018 (the SOCI Act). The obligations that apply to you depend on your role in relation to the CI asset and on the type of CI asset.

The SOCI Act applies positive security obligations that seek to ensure CI assets have embedded risk management, preparedness, and resilience as business-as-usual practices. These obligations also improve information exchange between industry and government to build a more comprehensive understanding of the national threat environment.

The obligations are:

  • Notification to data service providers (subsection 12F(3) of the SOCI Act)
  • Provide operational and ownership information to the register of critical infrastructure assets (Part 2 of the SOCI Act)
  • Report cyber incidents which have a relevant or significant impact on a CI asset (Part 2B of the SOCI Act)
  • Adopt, maintain and comply with a written risk management program (Part 2A of the SOCI Act).

There are also additional obligations specific to critical telecommunications assets and systems of national significance.

The obligations that you must meet depend on whether you are the responsible entity or a direct interest holder for a CI asset, and on the type of CI asset. Which entity is the responsible entity varies by asset class; the definition of the responsible entity for each asset class is in section 12L of the SOCI Act.

A direct interest holder is an entity (e.g. individual, company or trust) that holds either:

  • a direct or joint interest of at least 10% in the asset, together with any associates
  • an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset.

If you are a direct interest holder, your only obligation is the register obligation: providing information to the register of critical infrastructure assets.

For more information about what a critical infrastructure asset is, go to our page on the Security of Critical Infrastructure Act 2018 (SOCI).

If you are not sure whether these obligations apply to your critical infrastructure asset, read our Critical Infrastructure Asset Class Definition Guidance.

Obligation to notify data service providers

Entities must notify an external data storage or processing provider when that provider stores or processes business critical data for a CI asset. This ensures that companies handling sensitive data are aware that they may also have obligations under the SOCI Act, and that they treat the security of the data appropriately.

This obligation applies to all CI assets.

For more information on how this obligation might apply to you, read the Obligation to notify data storage or processing providers Factsheet.

Positive security obligations

There are three positive security obligations which apply to most CI assets.